"Autosave by URL" associated risks

Knowledge Article Number

000176169

Description

When Cross-Site Request Forgery (CSRF) token validation is disabled, Salesforce customers can build custom links or buttons that close a case with one click by passing the new status in the URL. However, this is a security risk because it opens the application to CSRF attacks.

Resolution

NOTE: This is considered a URL hack and it's not supported by Salesforce. Using undocumented query strings is strongly discouraged because Salesforce can change them at any time without notice. Instead, this functionality can be implemented by using the Force.com AJAX toolkit or a Visualforce page with a custom controller.

Salesforce has implemented several features to prevent Cross-Site Request Forgery (CSRF). As an example, when a browser makes a request, a one-time token is attached to prevent CSRF attacks. This also prevents the use of the URL modifier, "/{!CaseId}/s?save=1&cas7=Closed" since clicking on it would generate a GET request without the CSRF token.

While Salesforce Support can disable the validation of the token on GET requests, this opens up the Salesforce application to CSRF attacks. We strongly recommend that this feature remain enabled.
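The supported alternative mentioned above, a Visualforce page with a custom controller, keeps the one-click behaviour while leaving token validation enabled, because a Visualforce form submits a POST that already carries the org's CSRF token. The controller extension below is an added example written for this article, not code shipped by Salesforce; the class name CloseCaseController, the page name and the redirect target are assumptions, and the status value 'Closed' is the one the URL hack above sets.

```apex
// Added example (not from the Salesforce article): a controller extension that
// closes a Case through a form POST instead of a GET URL. The Visualforce form
// that calls closeCase() carries the CSRF token automatically, so the
// "disable token validation on GET" setting is never needed.
public with sharing class CloseCaseController {
    private final Case caseRecord;

    // The standard controller supplies the Case named by the page's ?id= parameter.
    public CloseCaseController(ApexPages.StandardController stdController) {
        this.caseRecord = (Case) stdController.getRecord();
    }

    // Action method bound to an <apex:commandButton>. It runs only on the POST
    // the button submits, never on the initial GET that loads the page.
    public PageReference closeCase() {
        // Update only the field we mean to change; 'Closed' is the status the
        // URL hack in the article set via cas7=Closed.
        Case toUpdate = new Case(Id = caseRecord.Id, Status = 'Closed');
        try {
            update toUpdate; // 'with sharing' keeps the user's record access rules in force
        } catch (DmlException e) {
            ApexPages.addMessages(e); // surface validation-rule errors on the page
            return null;              // stay on the page so the user can see them
        }
        // Assumed target: return to the case detail page after a successful close.
        PageReference detail = new PageReference('/' + caseRecord.Id);
        detail.setRedirect(true);
        return detail;
    }
}
```

The matching Visualforce page is `<apex:page standardController="Case" extensions="CloseCaseController"><apex:form><apex:commandButton action="{!closeCase}" value="Close Case"/></apex:form></apex:page>`, and the custom button or link on the Case layout points at `/apex/CloseCase?id={!Case.Id}` (page name assumed). Keep the DML behind the button's action, not the page's `action` attribute: a page-load action runs on the GET that opens the page, which recreates exactly the unauthenticated state change the CSRF token exists to block.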

After considering the risks associated with this hack, if you'd still like to proceed with disabling the security feature, submit a case that contains the following statement/request:

"Please disable the validation of the CSRF token on GET requests. I acknowledge I understand that my organisation may be potentially exposed to CSRF attacks, and I will continue without the feature at my own risk."